[cap-talk] Virtual Machine Based Rootkits

Norman Hardy norm at cap-lore.com
Sat Aug 5 20:34:58 EDT 2006


On Aug 4, 2006, at 2:32 PM, Jed at Webstart wrote:

> At 12:58 PM 8/4/2006, David Hopwood wrote:
>> ...Another is the VT/Pacifica-specific features themselves -- there was no
>> attempt (and it would have been much more complex) to make these
>> architectures *recursively* virtualizable.
>
> That's interesting.  That would seem to suggest that if you're running
> a VMM and some cracker tried to install a VMBR by coming in through
> a guest OS, then they wouldn't be able to make use of the virtualizability
> features of VT or Pacifica in any case.  Then even if they were somehow
> able to break through to the hardware level and install their VMBR, it
> would seem that their doing so would mess up your running your
> own VMM - making their VMBR quite visible indeed.
>
> I'm not sure where the truth lies here, but this thought that building
> virtualizable processors will somehow make them more vulnerable
> to rootkits seems vastly oversold to me at this point.

Seems right.

> Perhaps Norm remembers this technical point.  I seem to recall that
> some of the IBM 370 computers came with virtual machine assist that
> deliberately did provide for recursive virtualizability.  Do you recall
> that, Norm?  Does anyone know if there are still VM370 systems
> running VMMs?

Long story. There were versions of VM/370 that could run several deep.
IBM first added VM-assist which was an option the CP could select that
caused the hardware to 'do the right thing' with certain simple frequent
privileged instructions. CP would select this option when running
virtually privileged code.
Different models of 370 could virtualize different subsets of the privileged
functions and CP retained the ability to interpret all priv-ops.
I think that the virtual machines lacked VM-assist.
Later IBM introduced SIE (Start Interpretive Execution).
They released an incomplete specification of this instruction, but changed
their mind and never released the complete specs.
Roughly SIE virtualized the entire privileged mode except for I/O.
The memory operand of the SIE pointed to a memory area where
images of virtual special registers were kept.
I think it was never documented completely for public consumption.
SIE was a privileged instruction for no reason that IBM would reveal.
There was no reason that CP could not have emulated SIE as it emulated
other priv-ops but I think that it did not.
We (Tymshare) stopped using VM/370 when IBM ceased delivering
the source code.
SIE was subsequent to that.


> --Jed http://www.webstart.com/jed/